cPanel is a Unix based fully featured popular web based hosting account control panel that helps webmasters to manage their domains through a web browser. The latest version of cPanel & WHM is 11.34, which is vulnerable to multiple cross site scripting.

During my bug hunting process, today I (Christy Philip Mathew) discovered some serious XSS vulnerabilities in official cPanel, WHM. It also impact on the latest version of software.

This week, Rafay Baloch (Pakistani white hat hacker) also discovered another reflective cross site scripting vulnerability in cPanel at manage.html.

The interesting part would be the whole demonstration I done with the Official cPanel Demo located at http://cpanel.net/demo/ location, can be accessed via demo user & password provided by cPanel website itself i.e. http://demo.cpanel.net:2086/login/?user=demo&pass=demo

These vulnerabilities actually affect the logged in users. Proof of Concept and screenshots are as shown below: